Editorial

Public DNS providers: Do they actually improve your experience?

Services such as OpenDNS and Google's Public DNS have recently attracted a lot of attention due to their claims to speed up web browsing simply by changing the DNS servers your computer uses to resolve domain names into IP addresses. The basic idea behind these services is that many ISPs do not invest heavily in their own DNS infrastructure, which can result in slow response times, particularly at busy times of day. By building a network of servers specifically to handle high volumes of DNS traffic, these companies hope to improve the experience for end users, but is this the reality?

First, your ISP hosts its DNS resolvers inside its own network, the network your modem is directly connected to; third-party services such as OpenDNS and Google's offering are not directly connected to it. Your query therefore has to travel further to reach the server that performs the resolution on your behalf, and on the Internet a longer distance means a longer response time. There may be some ISPs around the world whose internal network is so complex or badly designed that the round trip between your computer and your ISP's DNS resolvers takes longer than a round trip to a third party's, but companies these days are generally more competent, so this is unlikely.

So how does DNS response time affect actual browsing speed? The answer is: very little. When you first visit a website, your computer sends a query to discover the IP address of the server hosting that site and, upon receiving the response, stores the IP address in a local cache, so that subsequent requests for that website do not generate a further DNS query. The entry is held in the cache until the period specified in the DNS reply, the time-to-live (TTL), has expired. So while a faster DNS server may speed up your first load of a web page, it will not affect the time taken to load the next page on that site, and in real terms the saving is minimal, in the order of a few milliseconds.

What, then, are the pitfalls? With the growth of user-generated content and the expansion of software-as-a-service, many companies are turning to CDNs (Content Delivery Networks) to deliver their content to users. The principle of a CDN is that a number of widely distributed nodes around the world hold identical copies of the content the site owner wishes to serve. When a user requests a specific piece of content, it is delivered by the CDN node closest to them. This results in far better speeds, and thus a better experience for the user, and can also help reduce bandwidth bills for site owners.

Where does DNS fit into this? DNS is the mechanism by which most CDNs direct your request to the nearest node for content delivery. When you request content stored on a CDN, your browser must first resolve the IP address of the server hosting that content. To do this, it sends a DNS query to the DNS servers configured on your computer; these then pass the query on to the nameservers that actually host the domain. Those nameservers check which of the CDN nodes is closest to the server making the request (that is, the resolver, not your computer) and return the IP address of that node.

The issue is that while your ISP's DNS servers are generally located near you, or at least take a path across the Internet to the website's nameservers similar to the one your own traffic would take from your ISP's network, third-party DNS servers will not be. The result can be the IP address of a CDN node that is not optimal for your location, but rather optimal for the location of the third-party DNS servers. The query and response may have completed faster, but you are now forced to load the content from a sub-optimal CDN node, which can affect your browsing experience far more. A DNS query is a matter of a few kilobytes and transfers quickly, but content served from CDN nodes is often images or video, which are much larger, and a slower connection there is far more noticeable.

Many of these DNS providers have a good presence in the US, but OpenDNS's Network Map shows that it is lacking in servers outside of this region. This means that while a number of CDN owners operate nodes in Asia, users from that region who make use of the OpenDNS service would instead be directed to US-based nodes, which they would reach over the much slower Pacific links.

OpenDNS offers a number of features on top of plain DNS resolution, including content filtering and phishing protection, which may be useful to some, but if your primary reason for using a third-party DNS service is to speed up your web browsing, it may be worth a second thought, especially if you frequent websites that make heavy use of CDNs, such as Facebook and YouTube.
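An added illustration of the caching argument above (this script is not part of the original editorial): it parses a DNS reply down to the TTL of its A record and replays page views against a stub-resolver cache that honours that TTL, so only the first view pays for a resolver round trip. The transaction-ID check is included because a reply that does not match the outstanding query must be discarded rather than cached; the reply, name and address are constructed sample values, and the pointer-hop cap is an assumed limit, not a value from the page.

```python
import struct

TYPE_A, CLASS_IN = 1, 1


def _encode_name(name):
    # 'www.example.com' -> b'\x03www\x07example\x03com\x00'
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(qid, name, ip, ttl):
    # Constructed reply: flags 0x8180 (response, RD, RA), the question echoed back, then one
    # A record whose owner name is a compression pointer (0xC00C) to the question name at offset 12.
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


def _read_name(msg, off):
    # Decode a possibly compressed name; returns (name, offset just past it). Pointer hops are
    # capped (assumed limit of 16) so a malformed reply with a pointer loop cannot hang the parser.
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_qid=None):
    # Returns (qid, [(owner, ipv4, ttl), ...]) for the A records in the answer section. With
    # expected_qid set, a reply whose transaction ID does not match the outstanding query is
    # rejected instead of cached, which is the stub-side half of the cache-poisoning defence.
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return qid, answers


def replay_lookups(name, wire_response, qid, lookup_times):
    # Replay lookups of `name` at the given timestamps (seconds) against a stub-resolver cache
    # that reuses an answer until its TTL has elapsed; returns 'hit' or 'miss' per lookup.
    # Only a miss costs a round trip to the resolver, whichever resolver that is.
    cache = {}  # name -> (ip, expires_at)
    outcomes = []
    for now in lookup_times:
        entry = cache.get(name)
        if entry is not None and now < entry[1]:
            outcomes.append("hit")
            continue
        _, answers = parse_response(wire_response, expected_qid=qid)
        owner, ip, ttl = answers[0]
        cache[owner] = (ip, now + ttl)
        outcomes.append("miss")
    return outcomes


if __name__ == "__main__":
    # Constructed sample: TTL 300 s, page views 0, 30, 200, 301 and 400 s after the first.
    reply = build_response(0x1234, "www.example.com", "192.0.2.10", 300)
    print(parse_response(reply, expected_qid=0x1234))
    print(replay_lookups("www.example.com", reply, 0x1234, [0, 30, 200, 301, 400]))
```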


98 Comments


As far as speed goes, I would agree with many who state that the noticeable speed difference is very minimal. But OpenDNS rocks for adding an additional layer of filtering that's FREE! Combine it with K9 Web Protection, NoScript, Adblock Plus and Malwarebytes/Ad-Aware/MSSE. That's a pretty decent way to try and keep as much of the crap/spy/rogue/ransomware and other traditional threats off your computer. It's NOT perfect and I'm not purporting such a configuration to be foolproof! Adding as many easily managed layers as possible can help you stay free of such dangers online, and using common sense helps. That's what I like about OpenDNS from an administrator's point of view.

If they didn't improve anything, they wouldn't be as popular as they are. I know for a fact OpenDNS is faster than Roadrunner's DNS. Sure, Roadrunner's DNS is fine at night time, but any time during the day when it's busy, it's bogged down to the point it's extremely annoying. I noticed a huge performance increase after I dumped the Roadrunner DNS.

I would never trust any DNS server run by Google. You can pretty much bet that they will record everything and keep it forever.

My college tried to maintain their own DNS and it sucked a lot, thus my need for OpenDNS. But now that I'm not there anymore, my local ISP has an excellent DNS and I don't need it anymore.

Plus you can occasionally use public DNS offerings to bypass captive portals at WiFi cafes and hotels etc depending on how they implement it.

My ISP is kind of in the same boat. Excellent service, connection quality is rock solid and fast, but I swear they bought their DNS servers at WalMart. OpenDNS has been pretty good to me. If my ISP's servers were more reliable I'd stick with theirs, but since they go down more often than I would rather deal with, I'm staying with OpenDNS. In my case anyway, my overall "internet experience" has improved.

My ISP's DNS servers are well known for their slow response times and, during peak hours, sometimes quit working altogether. All of my friends and family who share the same ISP with me complain of the same problems, where the internet "quits working". So I've set their DNS servers to a third party and they haven't had trouble since. So yes, in the case of my ISP they do improve my, and everyone's, experience.

So wait, Dave's writing editorials on his university notes or what? Don't really see the point in this article o_O it's kind of a long-winded way of saying if the server's farther away the longer it will take for IP resolution, well no way I would've never guessed!!!! !!!

Maybe I'll write an article about Fibre Optic vs Ethernet >.>

It's nothing to do with University

It also seems you have missed the point of the article. My main point is the selection of sub-optimal CDN servers, which are becoming more and more popular as UGC grows on the web; the rest is there for the sake of completeness.

Your point makes sense when you look at CDN servers that use DNS to route to the closest server, but in my experience most use BGP to do the routing. BGP allows servers in multiple locations to all share an IP address, in which case, unless something is wrong on your ISP's routers, you will get to the closest location. On the other hand, if one of the servers or locations is down you should still get the content from another server that is up. Having DNS hand out multiple addresses based on the IP of the requesting DNS server is the wrong way to set up a CDN.

I believe it can be a good idea to use them. Say you're trying to connect to something and it doesn't work; by using, say, the OpenDNS servers you could get that something to actually connect.

The part I find interesting is that there are always a few losers who will say DNS routing does not work, but never offer a solution to make it better.

Using a public DNS server CAN make browsing faster. It could make the time between when you type the page into the address bar and when it starts loading much faster.

With my ISP's DNS server there is literally a 3 second pause before first loading the page, since the browser is waiting for the DNS server to resolve.

When I switched to OpenDNS the resolving was much quicker and it instantly started loading the page.

So yes, there would be a speed boost since it would take LESS time to start actually loading the page.

The first time you load the page, yes, but after that it's cached. The main point of the article, that a lot of people seem to have totally missed, is that it can lead to directing you to a CDN that is not the optimal one for your location, causing content on the page such as images and videos to load slower.

I don't like the conclusions drawn by this article. Ultimately, the speed of response of a user's DNS servers is almost a completely individual experience.

Some ISPs' DNS servers are well designed and maintained. Their users don't see much benefit, speed-wise, in switching to public DNS servers. On the other hand, there are ISPs whose DNS servers are abysmal. A case in point is O2. Until recently, their DNS servers would stop responding to requests for ten seconds or more at a time. This gave users the impression that their entire Internet connection had simply stopped working. In this case, switching to public DNS servers made a huge difference.

This article could really be written in two lines: "Do public DNS servers actually improve your experience? Only if they're faster than your ISP's."

But again, would you rather have an extra few milliseconds to wait (if your ISP's DNS servers are slower) and be properly geolocated by most CDNs, or use a marginally quicker-resolving DNS server, only to be wrongly geolocated by some CDNs?

bmaher said,
But again, would you rather have an extra few milliseconds to wait (if your ISP's DNS servers are slower) and be properly geolocated by most CDNs, or use a marginally quicker-resolving DNS server, only to be wrongly geolocated by some CDNs?

The benefits of better-performing DNS far outweigh the handful of CDNs who will be affected by this for a lot of people, especially those who know anything about the state of DNS security.

ascendant123 said,

The benefits of better-performing DNS far outweigh the handful of CDNs who will be affected by this for a lot of people, especially those who know anything about the state of DNS security.

DNS has its issues, that are being resolved partly by the introduction of DNSSEC, but until the point where all domains implement it, all DNS servers are going to be vulnerable to DNS cache poisoning attempts. Some will be better than others, and I see that OpenDNS uses source port randomisation, but then so do many other DNS implementations, such as Bind (the most popular DNS server software on the internet) since recent updates.

DaveLegg said,

DNS has its issues, that are being resolved partly by the introduction of DNSSEC, but until the point where all domains implement it, all DNS servers are going to be vulnerable to DNS cache poisoning attempts. Some will be better than others, and I see that OpenDNS uses source port randomisation, but then so do many other DNS implementations, such as Bind (the most popular DNS server software on the internet) since recent updates.

While source port randomisation has its benefits (when correctly combined with a cryptographically secure PRNG and a nonce) it is largely mitigated by PAT at the consumer level which makes it kind of a hollow offering. There are 20+ other security measures that are almost always missed such as TSIG/TKEY implementations, BIND ACLs, and slave server zone transfer security.

Fortunately DNSSEC is due to go live to root servers A to M next month which should give it some much needed publicity. It brings with it new records (RRSIG, DNSKEY, DS, NSEC) and digitally signs all communication with the server; many DNS servers implement this but it is relatively rare at the ISP level. While BIND9 thoroughly supports DNSSEC and TSIG unfortunately the vast majority of ISPs are running something around BIND8; one of the most insecure releases since 4.

If you are interested in more of the technical details of the security behind modern DNS hit me up. It's my job.

DaveLegg said,

I'm sure the rollout date was May 5th? I did an article a few weeks back debunking what people were saying about the rollout crippling the internet for many people: http://www.neowin.net/news/dns...5th---internet-will-live-on

Yep May 5 was the go live date for 13 of the boxes. There are a number of physical boxes behind these 13 addresses that weren't all switched on at once/serve clients with a much larger TTL (who therefore wouldn't be impacted for a period of time). There were also a number of standards within EDNS0 that were not immediately enabled to minimise impact by staging the release.

The 100% live time guarantee is July 1, 2010.

DNSSEC has actually been available on most of the 13 addresses since mid-2009. More info at: http://www.dnssec-deployment.org/ although the official deployment PDF is way out of date ('07).

Using the software suggested by @Buio:

Max cached/uncached/dotcom lookup (in seconds):
my ISP DNS: 0.163/0.395/0.343
Google: 0.237/0.596/0.455
speakeasy.net: 0.279/0.454/0.399
OpenDNS: 0.275/0.952/0.500

Conclusion:
- My ISP's DNS is faster than the rest of the free alternatives.
- Second: Google is, amongst the other free (public DNS) alternatives, the fastest.
- Third: Speakeasy (who?) is a nice alternative.
- Fourth: OpenDNS is slow in comparison with Google and Speakeasy. It takes almost double the time of the DNS from my ISP.

Google DNS servers are about the slowest on the list when testing with dns benchmark, for me.

I don't like OpenDNS scanning my connection like they do, so I don't use them anymore either.

The 2 DNS servers I use are actually from the Sprint network, and they don't redirect me to some page of their choosing either when a page isn't found.

These DNS servers do maybe make surfing feel a little snappier, but not enough to be going hog wild over it!!

We use OpenDNS for all our customers' networks simply for the protection offered; it's part of defence in depth. We set the firewall to only allow DNS resolution from the local DNS server, which all clients use, and that server has OpenDNS as forwarders.
This allows us to rebrand the OpenDNS page with our company logo for non-resolvable domains, plus we block known phishing and scam sites at the DNS level.
We obviously use firewalls and other methods, but OpenDNS allows 90% of crap to be blocked at the DNS level, freeing up the firewall and other resources, and generally gives better performance and security.
Like anything though, it's a case of what do you want out of it and what do you get; we like it.

Most people seem to have missed the point entirely.

The article is about using a third party DNS to speed up browsing.

It doesn't discuss their merits in terms of being more reliable or providing other features, though these are clearly acknowledged. So if you use a third party DNS for reasons *other* than speed, that's great, but it's not really relevant to this as far as I can see.

Further, most people responding that their third party DNS is better than their ISP's seem to be quoting North American ISPs, which again are less relevant:

"Many of these DNS providers have a good presence in the US, but OpenDNS's Network Map shows that it is lacking in servers outside of this region. This means that while a number of CDN owners operate nodes in Asia, users from that region who make use of the OpenDNS service would be directed instead to US based nodes, which they would access over the much slower pacific links."

Laura said,
Most people seem to have missed the point entirely.

The article is about using a third party DNS to speed up browsing.

It doesn't discuss their merits in terms of being more reliable or providing other features, though these are clearly acknowledged. So if you use a third party DNS for reasons *other* than speed, that's great, but it's not really relevant to this as far as I can see.

Further, most people responding that their third party DNS is better than their ISP's seem to be quoting North American ISPs, which again are less relevant:

"Many of these DNS providers have a good presence in the US, but OpenDNS's Network Map shows that it is lacking in servers outside of this region. This means that while a number of CDN owners operate nodes in Asia, users from that region who make use of the OpenDNS service would be directed instead to US based nodes, which they would access over the much slower pacific links."

The article is about using them in general, not using them in one country or another. So we aren't missing the point.

PeterUK said,
I just run BIND...

Which recurses to where... You don't just install bind; it's not authoritative for the entire internet. It still has to provide non-authoritative answers through another DNS server.

ascendant123 said,

Which recurses to where... You don't just install bind; it's not authoritative for the entire internet. It still has to provide non-authoritative answers through another DNS server.


Still better than a public DNS: once you've got the answer it's cached locally.

PeterUK said,

Still better than a public DNS: once you've got the answer it's cached locally.

I was implying you combine the two. A local BIND install that recurses to a public DNS would indeed be the best solution.

ascendant123 said,

I was implying you combine the two. A local BIND install that recurses to a public DNS would indeed be the best solution.


You do not resolve to a public DNS; you go from root to TLD to authoritative DNS with no need to go to a public DNS.

For an easy setup: Treewalk.

PeterUK said,

You do not resolve to a public DNS; you go from root to TLD to authoritative DNS with no need to go to a public DNS.

For an easy setup: Treewalk.

Wait, where does your install forward to?

ascendant123 said,

Wait, where does your install forward to?


To root.

Public DNS like your ISP's or OpenDNS does the same to get you an answer, which could be cached so you get the answer quickly; if it's not cached, the server has to go to root, which points it to a TLD and then the authoritative DNS that gives the answer to the ISP or OpenDNS server to cache and then to you.

PeterUK said,

To root.

Public DNS like your ISP's or OpenDNS does the same to get you an answer, which could be cached so you get the answer quickly; if it's not cached, the server has to go to root, which points it to a TLD and then the authoritative DNS that gives the answer to the ISP or OpenDNS server to cache and then to you.

Which root? There are 13 root nameservers right now, labelled A to M, of which only a handful are guaranteed to be operational at any one time (rotated for maintenance, etc., and targeted using anycast). What actual IP do you have BIND configured to forward unanswerable requests to? I assume you don't actually install the root zone file in your local install?

ascendant123 said,

I assume you don't actually install the root zone file in your local install?

Yes... how else do you think I did it?

Treewalk does the same thing and uses the same named.root

PeterUK said,

Yes... how else do you think I did it?

The root zone file is not the same root zone file you are thinking of. named.root as provided by InterNIC is just the list of the 13 name servers. Using it does make sense, but in a lot of cases you are better off not using it and using a forwarder in your named.conf that forwards requests to your ISP's DNS or a public DNS, as it has a much larger cache (root name servers do not cache individual domains as a large-cache public DNS would, and therefore hits on new domains or expiries are more costly).

Apologies for quizzing you I was just curious on the details of the implementation as actually forwarding to root is very uncommon (root NS aren't really meant to serve that purpose).

Edited by DaveLegg, Jun 12 2010, 3:00pm :

ascendant123 said,

The root zone file is not the same root zone file you are thinking of. named.root as provided by InterNIC is just the list of the 13 name servers. Using it does make sense, but in a lot of cases you are better off not using it and using a forwarder in your named.conf that forwards requests to your ISP's DNS or a public DNS, as it has a much larger cache (root name servers do not cache individual domains as a large-cache public DNS would, and therefore hits on new domains or expiries are more costly).

No forwarder is set up here. Really, take a look at Treewalk; that's how it is set up here.
http://treewalkdns.com

Bind comes with a 'root hint' zone file, which simply contains:

. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30

With an entry for each root server. When the DNS server isn't able to provide a response from its own zones, and is not set up for forwarding, then it will perform a recursive query, starting from the roots, to locate the domain requested (caching intermediate results as it goes).

DaveLegg said,
Bind comes with a 'root hint' zone file, which simply contains:


With an entry for each root server. When the DNS server isn't able to provide a response from its own zones, and is not set up for forwarding, then it will perform a recursive query, starting from the roots, to locate the domain requested (caching intermediate results as it goes).

Yep; this is much different to the root zone file I asked about ^ (which is a zone file containing the addresses of the NS authoritative for the 750 or so TLDs) which I have unfortunately seen a few people using. Root hint files are functional but in almost all cases you are better off using a forwarder.

A forwarder is also more secure.

ascendant123 said,

Yep; this is much different to the root zone file I asked about ^ (which is a zone file containing the addresses of the NS authoritative for the 750 or so TLDs) which I have unfortunately seen a few people using. Root hint files are functional but in almost all cases you are better off using a forwarder.

A forwarder is also more secure.


Just to put it another way.
http://upload.wikimedia.org/wikibooks/en/6/68/Iterative.jpg

The requesting host and local DNS server can be put on anyone's PC, which is what Treewalk does and how BIND can be set up to resolve, recurse & cache your answers without forwarding.

A forwarder or local DNS server is no more secure than running a local DNS server on your PC, because a forwarder has to rely on getting an answer the same way as if you run a local DNS server.

The difference is that you can run the local DNS server on 127.0.0.1 so that you can do recursion and get an answer, but no one else from the internet can access your local DNS server.

Edited by PeterUK, Jun 13 2010, 3:50am :

PeterUK said,

Just to put it another way.
http://upload.wikimedia.org/wikibooks/en/6/68/Iterative.jpg

The requesting host and local DNS server can be put on anyone's PC, which is what Treewalk does and how BIND can be set up to resolve, recurse & cache your answers without forwarding.

A forwarder or local DNS server is no more secure than running a local DNS server on your PC, because a forwarder has to rely on getting an answer the same way as if you run a local DNS server.

The difference is that you can run the local DNS server on 127.0.0.1 so that you can do recursion and get an answer, but no one else from the internet can access your local DNS server.

No no--I understand (thoroughly) how this works and I have written implementations of it. Treewalk primarily functions as a local DNS server which then uses a root hints file to answer requests for domains it is either a) not authoritative for or b) is not in its cache; the difference is that you have a choice between using a root hints file or a forwarder to answer these requests.

The difference in using a root hints file and a forwarder in terms of security is primarily that with a forwarder you minimise the risk of hijacking and poisoning by providing a single address of one name server that is the most secure you know of and has high availability. A root hints file does exactly what its name implies; it provides hints that can be overridden in any number of 100 different ways between your local TCP stack and your destination.

The other benefit of using a forwarder is that you have a chance of getting a 1-hit return on a cache miss (i.e. accessing a site not in your cache has a chance of being in your forwarder's cache), whereas using a root hints file you guarantee at least however many hops it takes to hit a root server, then for it to recurse to an authoritative TLD NS (as root servers do not cache non-authoritative TLDs). There are many thousands of configuration properties that can fine-tune a root hints implementation to be fantastic, but in almost all cases this is for experienced admins running high-availability boxes specifically for that purpose (specifically things like fine-tuning your cache's TTL values and managing how cache hits and misses are handled, etc.).

Don't get me wrong; using a local root hints implementation is generally better than using your router (which sets your ISP as a forwarder) because most routers do not implement EDNS0 or correctly manage their cache. There's just better and "best" for everyone's different situation. I was simply suggesting you check out the alternatives =)

Edited by ascendant123, Jun 13 2010, 3:48am :

My reliability improved, my ISP had DNS issues when the original companies merged their networks.
I could keep on surfin' the web without a hitch using openDNS services.

Since switching to OpenDNS I have noticed a significant speed increase in resolving domains. Most people who have also switched say the same.

This sounds a bit silly, but how do I change my net so it refers to a custom DNS?

Considering people's responses to this article, I figured I want to try it out etc, but unfortunately the article failed to explain anything more than the bare concept.

LynxMukka said,
This sounds a bit silly, but how do I change my net so it refers to a custom DNS?

Network/Network Sharing Center. Find your device and change its properties. Select IPv4 from the list and click the properties button. Leave the IP info alone and set custom DNS servers below that.

I find my ISP's DNS a bit overloaded most of the time tbh. I've tried Google, OpenDNS and Level3, with the latter usually doing the trick. A month ago though, I switched back to my ISP's (Otenet) DNS for the rest of Greece instead of those for my area, and things are much better.

My ISP's DNS servers go down with a distressing regularity. Easily 1 day a month I have trouble surfing anywhere at all. Not a connectivity problem, just no DNS.

Not a problem with Google's DNS servers. I'm saving an entire afternoon of pointless frustration, not just a few milliseconds.

I've considered OpenDNS, but there's something of a beartrap hiding there. Google isn't risk free either, since they undoubtedly use it to add to your IP's dossier, but at least they aren't trying to upsell you at the same time.

vcv said,
Just use 4.2.2.1 and 4.2.2.2.

This really isn't recommended unless you're with Level 3. Google on 8.8.8.8 is just as easy to remember and a much much better choice.

ascendant123 said,

This really isn't recommended unless you're with Level 3. Google on 8.8.8.8 is just as easy to remember and a much much better choice.
And why is that?

vcv said,
And why is that?

Level 3 are discouraging people from using it due to load and maintenance requirements. There has been talk of it coming down for a year or two now and they really have no obligation to keep it up. If you're a techy and in reasonable proximity to an L3 DNS (4.2.2.2 is resolved using anycast, so geographic proximity is almost irrelevant) then I imagine it would be fine to use so long as you remember when your DNS isn't working it could be that L3 took it down.

On the other hand 8.8.8.8 resolves to a much larger pool of DNS resolvers with much larger caches which probably aren't going anywhere in the foreseeable future.

EDIT: Probably also worth mentioning that L3 never set these up in the first place and have them running out of the goodness of their heart (public uproar). These were originally set up by BBN/Planet in 1998 and the 4.0.0.0/8 eventually changed hands to where it is today with L3. L3 then decided to continue to run publicly available services on the range so as not to screw with a bunch of people who had it set as their primary resolver.

Edited by ascendant123, Jun 12 2010, 3:20am :

ascendant123 said,

Level 3 are discouraging people from using it due to load and maintenance requirements. There has been talk of it coming down for a year or two now and they really have no obligation to keep it up. If you're a techy and in reasonable proximity to an L3 DNS (4.2.2.2 is resolved using anycast, so geographic proximity is almost irrelevant) then I imagine it would be fine to use so long as you remember when your DNS isn't working it could be that L3 took it down.

On the other hand 8.8.8.8 resolves to a much larger pool of DNS resolvers with much larger caches which probably aren't going anywhere in the foreseeable future.

EDIT: Probably also worth mentioning that L3 never set these up in the first place and have them running out of the goodness of their heart (public uproar). These were originally set up by BBN/Planet in 1998 and the 4.0.0.0/8 eventually changed hands to where it is today with L3. L3 then decided to continue to run publicly available services on the range so as not to screw with a bunch of people who had it set as their primary resolver.

4.2.2.1 and 4.2.2.2 are the Verizon FiOS defaults.

Epic0range said,

4.2.2.1 and 4.2.2.2 are the Verizon FiOS defaults.

Yep. AOL also recommend customers update their DNS to .1-.6 if they experience any issues, much to Brett McCoy's (one of the original admins of them) dismay. The plus is that if it's provided by DHCP it is much better managed than a bunch of computer illiterates not realising what's going on when things change.

Just changed mine to Google from my ISP's normal one to see if it helps (I have ISP problems all the time), but it seems there aren't any options to configure it to block sites and whatnot. I believe OpenDNS does this, no? Now my router can block sites; is this just as good, or would doing it at DNS level be better?

ascendant123 said,
DNS level would be much better. It wouldn't retrieve anything at all whereas via your router sites are retrieved and then dropped.

Thanks for that. They get annoying as they load so much crap, slowing the computer down, so I have to block them. Will try OpenDNS and see what I think =) unless anyone can suggest others lol

I use Google Public DNS. I have no complaints about the speed, but the main reason I use it is to avoid the ISP "helpful" search/ad pages that come up when you mistype a URL. Most larger ISPs do something like that these days and it sure is annoying...

Aaron44126 said,
I use Google Public DNS. I have no complaints about the speed, but the main reason I use it is to avoid the ISP "helpful" search/ad pages that come up when you mistype a URL. Most larger ISPs do something like that these days and it sure is annoying...

+1
especially here in China with our [in]famous GFW....

The answer is yes. The whole article speaks of technical ignorance. The primary benefit of third-party DNS is not speed; that is just a secondary benefit for some people in certain areas/ISPs.

The primary benefits of third-party DNS are security (cache poisoning, DNSSEC, IPv6, etc) and privacy. The only useful comment made in the entire article is that ISPs do not invest heavily in their DNS infrastructure which is correct.

The entire section on CDNs is wrong regardless. The use of a third-party DNS does not affect the CDN to which you are attached; while it is true CDNs typically use round-robin DNS and other DNS mechanisms to load balance to a CDN node, they use your IP, not your DNS server's IP, to determine your location. If you have evidence otherwise, please reference it.

I just realised where you got your comments on CDNs and it's a 10 year old conference paper. The mechanisms that modern CDNs use are vastly changed.

The paper that you quote almost verbatim even mentions the inherent limitations with that method and the rest of the chapter goes on to debunk it and list the alternatives.

ascendant123 said,
I just realised where you got your comments on CDNs and it's a 10 year old conference paper. The mechanisms that modern CDNs use are vastly changed.

The paper that you quote almost verbatim even mentions the inherent limitations with that method and the rest of the chapter goes on to debunk it and list the alternatives.


Ohhh snap

ascendant123 said,
I just realised where you got your comments on CDNs and it's a 10 year old conference paper. The mechanisms that modern CDNs use are vastly changed.

The paper that you quote almost verbatim even mentions the inherent limitations with that method and the rest of the chapter goes on to debunk it and list the alternatives.

Actually, Internap and Akamai, two of the biggest CDN providers, both use DNS-based routing, and I'm sure there are others. I'm not sure what paper you are referring to, as this story is not based on any papers; care to provide a link so I can check it out?

ascendant123 said,
they use your IP, not your DNS servers IP, to determine your location. If you have evidence otherwise, please reference it.

Urm, the fact that when you use a recursive DNS server, such as that provided by your ISP, or one of these third party services, the authoritative nameservers never see your IP address, as the request to them is sent from your ISP/3rd-party DNS server, not directly from your machine.

ascendant123 said,
The entire section on CDNs is wrong regardless. The use of a third-party DNS does not affect the CDN to which you are attached; while it is true CDNs typically use round-robin DNS and other DNS mechanisms to load balance to a CDN node, they use your IP, not your DNS server's IP, to determine your location. If you have evidence otherwise, please reference it.

Exactly what I was thinking...

DaveLegg said,

Actually, Internap and Akamai, two of the biggest CDN providers, both use DNS-based routing, and I'm sure there are others. I'm not sure what paper you are referring to, as this story is not based on any papers; care to provide a link so I can check it out?

Urm, the fact that when you use a recursive DNS server, such as that provided by your ISP, or one of these third party services, the authoritative nameservers never see your IP address, as the request to them is sent from your ISP/3rd-party DNS server, not directly from your machine.

I'll track down the link for you; apologies for the insinuation. I can't speak to the actual implementation for Akamai or Internap but many CDN providers (such as CacheFly and MaxCDN) use BGP anycasting to redirect you correctly (which is the same technique that Google uses to redirect you to a local Google public DNS as well).

The reality is that there are many more lower layer routing tricks that can be done to correctly geolocate content in the exact same way that DNS geolocation works. There is also an IETF standard to include IP information in DNS requests that is slowly being implemented in all major implementations (see http://tools.ietf.org/html/dra...ndergaast-edns-client-ip-01). There is of course also the case where many CDNs are using embedded scripts or other more advanced techniques to correctly separate DNS and location based services, though these are the minority right now.

Regardless even if this was the case both OpenDNS and Google DNS pair their DNS server locations with major providers POPs so that this issue is largely avoided; combine this with the fact that hundreds of exhaustive tests were conducted a few years ago to prove that this difference is negligible.

This link should probably be included in the article to minimise the FUD that it generates: http://code.google.com/p/namebench/

This tool will test a number of different CDNs and DNS servers in a bid to determine which works best for you in your location. The majority of the US/UK/Europe will be better served by OpenDNS or Google and the majority of Asia will be better served by Google (or in some cases their local ISP, the far minority), especially as many ISPs in Asia are vastly smaller than US based ISPs and thus invest less in their DNS infrastructure.

I think overall this article is largely one-sided and doesn't do much but confuse people. There is not enough research, background, coverage or testing to be anything more than FUD; I might reconsider that opinion if there was at least some semblance of (even anecdotal) evidence.

Edited by ascendant123, Jun 12 2010, 11:26am :
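The disagreement above turns on what a DNS-steered CDN can actually see. DaveLegg's point is that the authoritative nameserver is answered to the recursive resolver, so the only source address it observes is the resolver's; ascendant123's reply is that an IETF draft for carrying client IP information in the query repairs this (the mechanism later standardised as EDNS Client Subnet, RFC 7871). The toy model below, added here and not the code of any CDN or resolver, plays both roles: every address, prefix, region label and edge pool in it is constructed sample data, and the steering logic is a stand-in for whatever geolocation a real CDN uses.

```python
"""Toy model of DNS-based CDN steering, with and without EDNS Client Subnet.
Added illustration; all addresses, prefixes and regions are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed geolocation table: network -> region.  A real CDN would use a
# commercial geo database or BGP data; this stands in for that lookup.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "au-syd",  # the user's ISP (resolver included)
    ipaddress.ip_network("198.51.100.0/24"): "us-nyc", # a distant public resolver's network
}

# Constructed edge pools: the A record handed out for each region.
EDGE_FOR_REGION = {"au-syd": "192.0.2.10", "us-nyc": "192.0.2.30"}
DEFAULT_EDGE = "192.0.2.30"  # fallback when the region is unknown


def region_of(addr: str) -> Optional[str]:
    """Map an address to a region via the constructed geo table."""
    ip = ipaddress.ip_address(addr)
    for net, region in GEO_TABLE.items():
        if ip in net:
            return region
    return None


@dataclass
class Query:
    """What the authoritative server sees: the UDP source (always the
    recursive resolver) and, if the resolver added ECS, a client prefix."""
    source_addr: str
    ecs_prefix: Optional[str] = None  # e.g. "203.0.113.0/24"


def steer(q: Query) -> str:
    """Authoritative side.  Without ECS the only location signal is the
    resolver's address; with ECS the truncated client prefix is preferred."""
    if q.ecs_prefix:
        net = ipaddress.ip_network(q.ecs_prefix, strict=False)
        region = region_of(str(net.network_address))
    else:
        region = region_of(q.source_addr)
    return EDGE_FOR_REGION.get(region, DEFAULT_EDGE)


def resolve_via(client_addr: str, resolver_addr: str, ecs: bool, prefix_len: int = 24) -> str:
    """Recursive side.  The resolver queries on the client's behalf, so the
    authority learns resolver_addr.  With ECS the client address is truncated
    to prefix_len bits (the privacy measure in the spec) and attached."""
    ecs_prefix = None
    if ecs:
        ecs_prefix = str(ipaddress.ip_network(f"{client_addr}/{prefix_len}", strict=False))
    return steer(Query(source_addr=resolver_addr, ecs_prefix=ecs_prefix))


if __name__ == "__main__":
    user = "203.0.113.42"  # constructed client on the Sydney ISP
    print("ISP resolver, no ECS     :", resolve_via(user, "203.0.113.53", ecs=False))
    print("Distant resolver, no ECS :", resolve_via(user, "198.51.100.53", ecs=False))
    print("Distant resolver with ECS:", resolve_via(user, "198.51.100.53", ecs=True))
```

With the ISP's resolver the user lands on the nearby edge; with a distant resolver and no ECS the CDN sees only the resolver's network and steers the user to the far edge; once the resolver sends a /24 of the client, the near edge comes back again even though the resolver is far away. That is exactly the gap the two posts are arguing over, and why the answer depends on whether a given resolver and a given CDN both support the client-subnet option.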

DaveLegg said,
See this post on OpenDNS's forums by Bill Fumerola, ex-director of network engineering there, confirming my point: http://forums.opendns.com/comm...hp?DiscussionID=1096#Item_7

Please see this quote, from your link:

the link
OpenDNS also can open a discussion with Akamai on a method to pass the original client's IP to their servers (via DNS or other means) so Akamai can return an IP to us that is closer to the original requester.

Then refer to the IETF draft linked above; Bill's post is also two years old (and was also largely debunked in a slashdot article on the topic last year, I'll find it in a little bit). The bottom line for a CDN making use of DNS for geolocation is that the density and locations of CDN servers corresponds to demand; just as the location of third-party DNS locations does. For example in Australia, the (only?) Akamai server is incredibly slow whereas the NYC server delivers full throughput of 2.0MB/s for me.

The bottom line is that supply and demand means that only the minority will experience issues.

Ahh, I see I missed the date on that post, didn't realise it was quite so old.

While I don't have enough servers around the world to run thorough tests on this myself, I've done a bit of looking around, and found this blog post from Softlayer, a major player in the dedicated server world: http://theinnerlayer.softlayer.com/2010/dns-from-all-angles/ which links to here: http://www.sajalkayan.com/in-a...d-opendns-is-the-enemy.html where someone who does have access to servers around the world to run good tests on this, and his findings back up my claims.

DaveLegg said,
Ahh, I see I missed the date on that post, didn't realise it was quite so old.

While I don't have enough servers around the world to run thorough tests on this myself, I've done a bit of looking around, and found this blog post from Softlayer, a major player in the dedicated server world: http://theinnerlayer.softlayer.com/2010/dns-from-all-angles/ which links to here: http://www.sajalkayan.com/in-a...d-opendns-is-the-enemy.html where someone who does have access to servers around the world to run good tests on this, and his findings back up my claims.

Please see the below in direct response, by the founder of OpenDNS (full disclosure, etc, the whole thread has interesting remarks on both sides if you are interested), to the blog you reference.

http://tech.slashdot.org/comme...id=1669064&cid=32389146

SoftLayer also reference that they make use of the BGP anycasting method I referenced earlier to bypass this problem for their customers.

http://tech.slashdot.org/comme...id=1669064&cid=32389726 is another interesting comment that backs up my argument. The user there is testing from a home machine on a consumer grade internet connection, and his results show that after looking up the IP for Internap via Google's offering, the IP he gets back is far slower for him, while for other resolvers and CDNs, the results are pretty equal.

Performance does massively depend on where you are located in the world, and who your ISP is, I accept that. If you look at the results though, generally performance of CDNs is either the same, or worse. If it's the same, then why switch, if it's worse, then definitely don't switch.

DaveLegg said,
http://tech.slashdot.org/comme...id=1669064&cid=32389726 is another interesting comment that backs up my argument. The user there is testing from a home machine on a consumer grade internet connection, and his results show that after looking up the IP for Internap via Google's offering, the IP he gets back is far slower for him, while for other resolvers and CDNs, the results are pretty equal.

Performance does massively depend on where you are located in the world, and who your ISP is, I accept that. If you look at the results though, generally performance of CDNs is either the same, or worse. If it's the same, then why switch, if it's worse, then definitely don't switch.

Check out the response time for OpenDNS in his results however; Google is way worse but OpenDNS is pretty amazing. The point is that the vast, vast majority of the world (and Neowin readers, mind you) will benefit from these services, or at least not suffer. As to why switch... that's been covered elsewhere in the comments. If you are asking why to switch purely in terms of speed then obviously there's no answer--but that's a very unrealistic and one-sided approach.

I understand that you recognise that, but when posting a front page news item (read: not a forum post, which I would have happily participated in, in a more neutral format) you are misleading readers who do not have the same understanding that you do.

ascendant123 said,
I understand that you recognise that, but when posting a front page news item (read: not a forum post, which I would have happily participated in, in a more neutral format) you are misleading readers who do not have the same understanding that you do.

The question I posed was whether they improve your experience, and the part of that experience I focused on was speed. My conclusion, which I believe you will agree is accurate, was that they will not enhance your browsing speed: it may remain the same, or get worse, but changing DNS providers will not make it faster (aside from maybe increasing the speed of the initial lookup, but since that is cached after that, it's a small enough difference to ignore).

I commented in the last paragraph that there are other features of these services which do make them worthwhile, but for those changing and hoping to see a speed increase, they should examine their decision to do so.

Decaytion said,
Google DNS has proven to be faster, a noticeable speed increase actually, compared to Cox Communication's DNS here in Vegas.

I wonder to what extent it is the DNS actually being faster or if pages are just loading faster because ads are not being loaded.

I use OpenDNS now, I was having all sorts of trouble with sites not being located with Comcast's DNS, so when I switched to OpenDNS the responses were much better, plus, I am able to block certain sites that I do not want certain people to view. So yes, IMO switching to an alternate DNS server did help.

jnelsoninjax said,
I use OpenDNS now, I was having all sorts of trouble with sites not being located with Comcast's DNS, so when I switched to OpenDNS the responses were much better, plus, I am able to block certain sites that I do not want certain people to view. So yes, IMO switching to an alternate DNS server did help.

I use OpenDNS too as I like the ability to block illegal web domains on my network. Their blocking of phishing domains is also welcome.

Keep in mind though that this only blocks the domain name. If somebody on your network knows the IP address of a site you are blocking with OpenDNS, they can still get to it by typing that IP address into the browser directly.

TCLN Ryster said,

I use OpenDNS too as I like the ability to block illegal web domains on my network. Their blocking of phishing domains is also welcome.

Keep in mind though that this only blocks the domain name. If somebody on your network knows the IP address of a site you are blocking with OpenDNS, they can still get to it by typing that IP address into the browser directly.

Same here; ISP resolving was poor on some important sites. Since moving to OpenDNS a few years back, we have had flawless service, and filtering & anti-phishing to boot. Finally got rid of those pesky social sites -- staff were on them all the time.

Yes they do. Blocking ads and other crap at the DNS level is a great source of protection, preventing websites from redirecting you without your consent is another. I'm not sure about the performance improvement claims, but the previous two features alone make them well worth it.

Google DNS and OpenDNS are much faster than my ISP's. Plus with OpenDNS I can block some domains, which is nice.

Overall, Google's DNS is probably my favorite, no ads.

ObiWanToby said,
Google DNS and OpenDNS are much faster than my ISP's. Plus with OpenDNS I can block some domains, which is nice.

Overall, Google's DNS is probably my favorite, no ads.

Just an FYI to people, there are several ways to block domains at your system and local router level. You don't have to use an external DNS for this.

ObiWanToby said,
Google DNS and OpenDNS are much faster than my ISP's. Plus with OpenDNS I can block some domains, which is nice.

Overall, Google's DNS is probably my favorite, no ads.


I have never seen any problems with my ISP's DNS. Lookups happen in the blink of an eye, if something else was faster I wouldn't be able to tell. Plus, most domains have a TTL of at least an hour. So that means you only use the DNS server once per hour per domain name. What does shaving a few fractions of a second of every hour really help?
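The TTL argument in the post above can be put in numbers. The simulation below is an added illustration, not code from the page or any resolver; it models the local stub cache an OS or browser keeps in front of the recursive resolver, counts how many lookups actually leave the machine during a browsing session, and multiplies by the resolver's round-trip time. The zone data, the browsing pattern and the two resolver timings (16 ms and 28 ms, borrowed from the dig figures quoted near the end of this thread) are all constructed inputs.

```python
"""TTL-respecting stub cache: how many DNS round trips a browsing session
really costs.  Added illustration; zone data and timings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class StubCache:
    """Minimal cache in front of a recursive resolver: a name goes upstream
    only when no unexpired record for it is held."""
    resolver_rtt_ms: float                                        # cost of one upstream query
    records: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (ip, expiry)
    upstream_queries: int = 0
    time_spent_ms: float = 0.0

    def lookup(self, name: str, now: float, zone: Dict[str, Tuple[str, int]]) -> str:
        """Resolve `name` at time `now` (seconds).  `zone` is the constructed
        authoritative data: name -> (ip, ttl_seconds)."""
        hit = self.records.get(name)
        if hit and hit[1] > now:
            return hit[0]                      # cache hit: no network round trip at all
        ip, ttl = zone[name]
        self.upstream_queries += 1             # cache miss: pay one resolver round trip
        self.time_spent_ms += self.resolver_rtt_ms
        self.records[name] = (ip, now + ttl)
        return ip


# Constructed zone: a site name with an hour-long TTL and a CDN-style asset
# host with a short TTL, both fetched on every page view.
ZONE = {
    "www.example.com": ("192.0.2.10", 3600),
    "static.example.net": ("192.0.2.20", 300),
}


def browsing_session(rtt_ms: float, page_loads: int, interval_s: float) -> Tuple[int, float]:
    """Simulate `page_loads` page views `interval_s` seconds apart, each
    needing every name in ZONE.  Returns (upstream queries, ms spent on DNS)."""
    cache = StubCache(resolver_rtt_ms=rtt_ms)
    for i in range(page_loads):
        now = i * interval_s
        for name in ZONE:
            cache.lookup(name, now, ZONE)
    return cache.upstream_queries, cache.time_spent_ms


def saving_ms(slow_rtt_ms: float, fast_rtt_ms: float, page_loads: int, interval_s: float) -> float:
    """Total DNS time the faster resolver saves over the whole session."""
    _, slow = browsing_session(slow_rtt_ms, page_loads, interval_s)
    _, fast = browsing_session(fast_rtt_ms, page_loads, interval_s)
    return slow - fast


if __name__ == "__main__":
    # An hour of browsing: one page every 30 s, 28 ms resolver vs 16 ms resolver.
    queries, spent = browsing_session(28.0, page_loads=120, interval_s=30)
    print(f"120 page loads -> {queries} upstream queries, {spent:.0f} ms waiting on DNS")
    print(f"switching 28 ms -> 16 ms saves {saving_ms(28.0, 16.0, 120, 30):.0f} ms per hour")
```

Of 240 name lookups in the hour, only 13 leave the machine (one for the hour-TTL name, twelve for the five-minute one), so a 12 ms per-query difference adds up to 156 ms over the whole hour. Shorter TTLs, as CDN hostnames tend to have, are what make the resolver's speed matter at all.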

sphbecker said,

I have never seen any problems with my ISP's DNS. Lookups happen in the blink of an eye, if something else was faster I wouldn't be able to tell. Plus, most domains have a TTL of at least an hour. So that means you only use the DNS server once per hour per domain name. What does shaving a few fractions of a second of every hour really help?

For most people, it really doesn't help much. Not only is most ISPs' DNS OK, but you have additional local caching on modern OSes.

These are handy for the small town or backwoods ISPs that either have old DNS servers or ones that go down, etc. There are some places that the ISPs DNS server isn't so 'local' either.

If the service pops back sites 'consistently' faster than your ISP, they are worth trying out. Again, it just depends on the ISP and some ISPs are going to be better than going out farther with more latency to these services.

I have servers around the world that also provide DNS for myself as they pull from the original nameservers. Sometimes one 1,000 miles away will be far faster than a local ISP or a NAT DNS server like if you are staying in a hotel that is just a slow router.

There is no 'right' or wrong answer, it depends on ISP, and location, travel, etc.

ObiWanToby said,
Google DNS and OpenDNS are much faster than my ISP's. Plus with OpenDNS I can block some domains, which is nice.

Overall, Google's DNS is probably my favorite, no ads.

Seriously? *much faster? Or placebo faster?

Even slow DNS resolution occurs extremely quickly.

MS Pandya said,

Seriously? *much faster? Or placebo faster?

Even slow DNS resolution occurs extremely quickly.

You might not have experienced it, but a lot of ISPs' DNS can time out completely for sometimes minutes at a time, which is probably what a lot of people refer to as 'faster' (and some just hold for 10 seconds and do nothing).

MS Pandya said,

Seriously? *much faster? Or placebo faster?

Even slow DNS resolution occurs extremely quickly.


There is software that can test the responses for DNS requests to your ISP and other various DNS services. In my own experience with said software, my ISP was (on average) 300% faster than OpenDNS and around 200% faster than Google DNS.

Nagisan said,

There is software that can test the responses for DNS requests to your ISP and other various DNS services. In my own experience with said software, my ISP was (on average) 300% faster than OpenDNS and around 200% faster than Google DNS.

You are correct. I just used the DNS "dig" utility and was receiving a DNS reply back from opendns in 28ms as compared to 16ms from my ISP.
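The 28 ms versus 16 ms comparison above is what dig reports as "Query time". The script below is an added example, not from the page, that reproduces that measurement from first principles: it builds a raw DNS query, sends it over UDP, parses the answer (including the TTL the caching argument depends on) and times the round trip. It also checks that the reply's transaction ID matches the query, the basic sanity check every stub resolver applies to a UDP answer. The wire-format functions are pure and are exercised against a constructed response embedded below; only `time_resolver` touches the network, against whichever resolver addresses the caller supplies.

```python
"""Minimal DNS A-record query, response parser and round-trip timer.
Added example; SAMPLE_RESPONSE below is a constructed packet."""
import random
import socket
import struct
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """One-question recursive query (flags 0x0100 = RD); qtype 1 is A."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


@dataclass
class Answer:
    rtype: int
    ttl: int
    rdata: bytes

    def as_ip(self) -> Optional[str]:
        return socket.inet_ntoa(self.rdata) if self.rtype == 1 and len(self.rdata) == 4 else None


def parse_response(msg: bytes, expect_txid: Optional[int] = None) -> Tuple[int, List[Answer]]:
    """Return (RCODE, answers).  A reply whose ID does not match the query,
    or which is not flagged as a response, is rejected."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        answers.append(Answer(rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, answers


def time_resolver(server: str, name: str, timeout: float = 2.0) -> Tuple[float, List[Answer]]:
    """Send one query to `server` and return (round trip in ms, answers),
    the figure dig prints as 'Query time'.  This is the one network call."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - start) * 1000
    _, answers = parse_response(data, expect_txid=txid)
    return elapsed_ms, answers


# Constructed reply to build_query("www.example.com", txid=0x1234): flags
# 0x8180 (QR, RD, RA), one A record 192.0.2.10 with TTL 3600, owner name
# compressed to the question at offset 12 (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.2.10")
)

if __name__ == "__main__":
    import sys
    # Usage: python dnstime.py <resolver-ip> [<resolver-ip> ...], e.g. your ISP's and 8.8.8.8
    for server in sys.argv[1:]:
        try:
            ms, ans = time_resolver(server, "www.example.com")
            ips = [a.as_ip() for a in ans if a.as_ip()]
            print(f"{server:16} {ms:7.1f} ms  ttl={ans[0].ttl if ans else '-'}  {ips}")
        except (socket.timeout, ValueError) as e:
            print(f"{server:16} failed: {e}")
```

Run it a few times against each resolver before drawing conclusions: the first query for a name is often a cache miss at the resolver (it has to go to the authoritative servers), while repeats within the TTL are served from the resolver's cache, so single measurements like the 28 ms and 16 ms above mix two different things.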